The Board s role in anti-corruption compliance: Guardian and Guide. By: Eileen Felson, Director, PwC Frederic Miller, Partner, PwC

Transcription

1 Eileen Felson is a director in PwC s Forensic Services eileen.m.felson@us.pwc.com Tel: (312) Frederic Miller is a partner in PwC s Forensic Services frederic.r.miller@us.pwc.com Tel: (703) The Board s role in anti-corruption compliance: Guardian and Guide By: Eileen Felson, Director, PwC Frederic Miller, Partner, PwC Although much has been written about the increased regulatory enforcement risks facing companies, there has been a dearth of focus on how Boards and Audit Committees should respond. For example, legislation aimed at quashing corruption US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Canadian Corruption of Foreign Public Officials Act, and other anti-corruption statutes all can spell trouble for violators, including Board members. Why should Board members be concerned, and what is their role in ensuring compliance? The following points set the scene: Shareholder and derivative class actions against household-name companies seem to proliferate whenever allegations of bribery start to swirl. Many of these actions related to alleged violations of the FCPA appear to question, How could the company s officers and Board members let this happen? Recently, the Securities & Exchange Commission (SEC) has indicated in comments by the Chairperson that it will be increasing its focus not only on aggressive enforcement of individuals but also on the penalties leveled against them. One such penalty could be barring the individual from serving on the Board of a public company. Although SEC enforcement relates to a range of statutes, it is likely that Board members will continue to come under scrutiny related to FCPA enforcement and at least for now, the Board has skin in the game when it comes to FCPA risk. Can a Board member be liable for FCPA violations? In today s environment directors face the potential for dealing not only with the reputational damage and costly defense that can go hand in hand with headlinegrabbing lawsuits but also with the risk of increased individual enforcement actions. For example, the Dodd Frank Act advises whistleblowers to report to the 1

2 company first, potentially increasing Board members responsibility to ensure that the company appropriately responds to allegations. The Dodd Frank Act also lowered the bar on scienter with respect to aiding and abetting charges brought by the SEC from knowledge to knowledge or recklessness. Under 20(e) of the Securities Exchange Act of 1934, the SEC can bring an action against a director who aids and abets securities fraud. As clarified in the Second Circuit s August 2012 ruling in the SEC v. Apuzzo matter (689 F.3d 204), the SEC can bring an action against a director who provides substantial assistance to a primary violator of the securities laws, even though the director did not proximately cause the harm. When considered with the lower scienter requirement, it is perhaps more likely that the SEC could bring standalone aiding-and-abetting charges against directors. Certain recent FCPA-related shareholder and derivative class actions allege that Board members breached their fiduciary duties by: 1) not establishing or monitoring appropriate anti-corruption compliance programs; or 2) not thoroughly investigating allegations of FCPA violations. These matters generally include claims related to the Board s monitoring responsibilities as discussed in the 1996 ruling In re Caremark Int l. Inc., 698 A.2d 959 (Del. Ch ) This ruling notes that a director s duty of care includes an obligation to ensure adequate corporate oversight systems are in place. The term oversight systems could include both the company s anti-corruption compliance program and the Board s process for overseeing internal anti-corruption investigations. Directors could be held liable if they are deemed to have failed to either properly implement or subsequently monitor and oversee the company s reporting or information systems or controls. What questions might Board members be asking themselves? Although Board members have oversight rather than operational roles, the question remains: How might Board members improve and demonstrate their oversight of this ever-increasing risk area? Simply having a written policy in place isn t enough. Board members should be asking themselves and, perhaps more importantly, their management teams specific questions in the key areas of risk assessment, monitoring, training, and communication, such as: Do we conduct our risk assessment process on a country-by-country basis? How do we know the process is effective (have we been caught by surprise)? Who or what committee at the company has taken ownership of the company s FCPA risk? Do we perform site visits, in which countries, and why? Do the countries we visit correlate with our risk assessment? How good is our testing and monitoring program, and are we seeing improvements over time? How often do we, as Board members, receive required training? Who else do we train, how, and for how long? Do different groups or positions receive different training? Is the training connected to our risk assessment process? What new controls/procedures/policies have been enacted as a result of different regulatory enforcement initiatives? Are we staying ahead of these risks? 2

3 If there is an anti-corruption allegation, how and how soon does it reach us? Do we have a plan in place to address it? Where can Board members turn to for guidance? Regulatory and leading-practice guidance targeted directly at the Board s roles and responsibilities in effective anti-corruption compliance programs has evolved relatively gradually. However, the US Federal Sentencing Guidelines (the Sentencing Guidelines ) and the SEC s and Department of Justice s November 2012 publication of A Resource Guide to the US FCPA (the Resource Guide ) provide some direction regarding the government s expectations of the Board. Armed with guidance from these sources, Board members can perhaps better focus their efforts on their key areas of responsibility. What elements of effective anti-corruption compliance programs need more Board involvement and attention? Tone at the top and senior-level oversight Whether it relates to codes of conduct, anti-corruption compliance programs, or the company s day-to-day operations, a key consideration remains tone at the top. The Board should set a tone that establishes a culture of and commitment to legal compliance and integrity, communicated to personnel at all levels. The Resource Guide explicitly assigns to senior management and the Board of Directors the duty of instilling and communicating a culture of compliance: Compliance begins with the Board of Directors and senior executives setting the proper tone for the rest of the company...compliance with the FCPA and ethical rules must start at the top. (Emphasis added) The Resource Guide also notes: DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company s compliance program to one or more specific senior executives within an organization. Board members should consider whether assignment of oversight has been made to senior corporate officers with sufficient influence, resources, authority, and access to the Board, and whether those officers are sufficiently independent of those who could create FCPA risks. Risk assessment It may seem obvious, but performing a corruption specific risk assessment is not enough. Boards have to ensure that company management is not just presenting great looking and sounding programs that are, in fact, simply paper tigers. For example, the Sentencing Guidelines require that: [T]he organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of the program] to reduce the risk of criminal conduct identified through this process. 3

4 The Resource Guide states: When assessing a company s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces. Although the majority of corporations continue to assign risk-related responsibilities to the Audit Committee, regardless of where risk responsibility resides (such as with a separate Risk Committee), if it is outside of the full Board, it can be difficult to clearly define that function relative to the Board. According to PwC s 2013 Annual Corporate Directors Survey, The number of directors who believe there is a clear allocation of risk oversight responsibilities among the board and its committees (80%) improved over the prior year by 17 percentage points. Yet half of those who say that there is clarity reflected that it still could be improved. Ownership of FCPA risk within the organization should be clear. Training and communication An important item that can tend to fall by the wayside is that Board members should continually monitor whether they themselves are receiving an appropriate level of training, in addition to performing their own monitoring responsibilities. According to PwC s 2013 Annual Corporate Directors Survey, More than four in five directors are using educational programs to stay abreast of emerging trends in corporate governance to effectively discharge their oversight responsibilities. In other words, Board member training should not be a one-time-and-done, check-the-box undertaking. According to the Resource Guide: DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors (Emphasis added) From a monitoring perspective, the Board should consider factors such as whether the training programs and communications: address the specific FCPA issues identified through the risk assessment process; reach the at-risk employee population; and are completed with sufficient frequency and impact. Boards should also make certain that they truly understand how management s testing and monitoring program works at the ground level. Indications of what management has learned from its testing program and the changes made as a result of those findings can be key to the effectiveness of monitoring efforts. Business unit contacts can also act as a good source of information regarding the efficiency of communications and the effectiveness of training efforts. Do Boards have the ability to benchmark? 4

5 Despite the increase in high-profile, newsworthy matters and the past decade of increasingly aggressive FCPA enforcement activities, public company disclosures regarding Board governance of anti-corruption compliance programs remain limited. As a result, Boards seem to have limited ability to benchmark their roles and responsibilities related to anti-corruption compliance programs against leading companies disclosures and policies. Publicly available information on these programs is generally either: 1) made in response to some type of regulatory inquiry, or is part of a Deferred Prosecution or Non-Prosecution Agreement; or 2) limited to policies such as the company s code of ethics or supplier code of conduct posted on the corporate governance section of the company s website. In other words, the information is made available after an alleged wrongdoing has been identified or is limited or generic at best. Regardless, Board members should consider including periodic assessment of their company s anti-corruption compliance program against available leading practices as another item in their monitoring toolkit. Board members can seek additional guidance in this area from other internal and external resources, such as the company s office of general counsel, the compliance organization, outside counsel and forensic accountants. What are the key takeaways for Board members? As regulators and shareholders keep their focus on anti-corruption, the role of Board members as compliance guardians and guides will continue to expand. Board members should hone in on the following points: Set an appropriate, zero-tolerance tone at the top Understand the who, what, and why of the company s FCPArelated risk assessment process and how that process impacts other aspects of their anti-corruption compliance program Understand how robust and proactive their own program is and what has been learned and improved as a result of testing and monitoring Receive an appropriate level of FCPA-compliance related training and communications Communicating a culture of compliance and establishing an appropriately and adequately resourced compliance program one that includes periodic risk assessments, targeted training, and effective monitoring can help reduce the risk that Board members will be subject to shareholder or individual enforcement actions for FCPA-related violations. 5